Skip to content

sha256, sha512_256: switch to wolfCrypt API#21090

Closed
vszakats wants to merge 10 commits intocurl:masterfrom
vszakats:wolfhash
Closed

sha256, sha512_256: switch to wolfCrypt API#21090
vszakats wants to merge 10 commits intocurl:masterfrom
vszakats:wolfhash

Conversation

@vszakats
Copy link
Copy Markdown
Member

@vszakats vszakats commented Mar 24, 2026
edited
Loading

Replacing the OpenSSL-like compatibility interface, and syncing with
existing API use within lib/wolfssl.c for SHA-256.

Ref: https://www.wolfssl.com/documentation/manuals/wolfssl/group__SHA.html

Follow-up to 28f0932 #21077
Follow-up to 988b352 #21078

This was referenced Mar 24, 2026
Closed
Closed
@vszakats vszakats requested a review from Copilot March 24, 2026 23:19
Copilot AI reviewed Mar 24, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR switches the SHA-256 and SHA-512/256 implementations used under wolfSSL from the OpenSSL-compat EVP interface to the native wolfCrypt APIs, aligning these helpers with existing wolfCrypt usage patterns in the codebase.

Changes:

  • Update lib/sha256.c to use wc_InitSha256 / wc_Sha256Update / wc_Sha256Final when built with wolfSSL.
  • Update lib/curl_sha512_256.c to use wc_InitSha512_256 / wc_Sha512_256Update / wc_Sha512_256Final when built with wolfSSL, and adjust backend-selection comments/logic accordingly.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
lib/sha256.c Replaces wolfSSL EVP-compat SHA-256 usage with wolfCrypt SHA-256 API.
lib/curl_sha512_256.c Replaces wolfSSL EVP-compat SHA-512/256 usage with wolfCrypt SHA-512/256 API and updates backend selection.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

lib/curl_sha512_256.c
Comment on lines +203 to +207
size_t length)
{
Curl_sha512_256_ctx * const ctx = (Curl_sha512_256_ctx *)context;
if(wc_Sha512_256Update(ctx, data, (word32)length))
return CURLE_SSL_CIPHER;
Copy link

Copilot AI Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wc_Sha512_256Update() takes a word32 length, but this code casts from size_t without any bounds check. For inputs > 4GiB this will truncate and compute an incorrect hash. Consider either rejecting length > UINT32_MAX with a clear error, or looping over the input in word32-sized chunks to support large buffers safely.

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Member Author

@vszakats vszakats Mar 24, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Theoretically correct, but I'm fairly sure this function cannot be
called with >4GiB due to pre-existing outer limits.

@vszakats vszakats closed this in ff3251a Mar 25, 2026
@vszakats vszakats deleted the wolfhash branch March 25, 2026 10:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

cryptography

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vszakats